Zona Walton [ADP - Global Business Resiliency] and I spoke at a private conference last month. The title of our session was The Future of Resiliency. We explored the idea that the future of resiliency isn’t resiliency; that is, it will be something else.
In our session, we covered the critical aspects of rolling out and maintaining a global supply chain operational risk – business continuity program. Supply chain leaders are naturally gifted at managing risk, as it is part of their daily lives. But, supply chains are naturally dynamic (i.e., disruptive), which makes many of our traditional operational risk – business continuity techniques ineffective. Supply chain leaders need risk management techniques and tools to help them make decisions, solve problems, and communicate in complex environments.
Learning objectives covered:
Common pitfalls (i.e. too fast, too big) of risk and resiliency supply chain rollouts.
The necessary methodologies, tools, and roadmaps to be successful in today’s complex, nonlinear, supply-chain environments.
While artists, athletes, and performers struggle to make their mark in the public eye with a memorable act or viral moment, a different type of celebrity has been emerging on the scene - the spokesperson for a crisis.
Here’s a quick exercise to highlight the point:
Jeffrey Boyd, Lew Frankfort, and Stephen Hemsley. Do these names sound familiar?
If not, don’t feel bad. They are the CEO’s of Priceline.com, Coach, and UnitedHealth Group, respectively.
Now, how about the names Tim Cook and James Comey?
We can immediately recall them as the CEO of Apple and the FBI Director, respectively, feuding over a locked iPhone involving a federal investigation of the San Bernardino shooting.
The media diligently covered Cook and Comey’s debate for more than three months. During that time, both men emerged as stars in a cast of characters ranging from lawyers, judges, politicians, and even presidential candidates. The media and public tuned in to hear their perspectives on data privacy, security, technology, civil rights, and terrorism.
When working with the masses [end-users; not experts in risk management, business continuity, crisis management], I find it beneficial to present clear, concise, and concrete packaged solutions. People need guidance and structure to help them think through problems and build effective plans. This is one of the reasons Lootok created the 8Rs™ of Resiliency. The goal the 8Rs is to reduce uncertainty, simplify complexity, structure thinking and dialogue, build common ground, and establish preparatory activities. The 8Rs facilitates planning with a plan as the end deliverable (i.e., plans are the byproduct of planning). The 8Rs are designed to provide people with a set of options they can employ to continue operations under various threats and timelines. The 8Rs™ of Resiliency comprises of the following:
Relocate - physical moving assets (e.g., people, technology, equipment) to another location
Reassign – transferring processes (i.e., work) to another location
Repair / Replace – capabilities in place to fix the problem at time of event
Reinforce – fortify, strengthen, assets to tolerate greater impacts and occurrences
Replicate – simultaneous production (i.e., processes, technology, work) at two locations [duplication]; active-active
Redundancy - extra capacity and inventory
Risk Transfer – shift risk to other entities through insurance, contracts, and risk pooling
Relinquish – do nothing [e.g., too cost prohibitive]; risk acceptance strategy
“How did you go bankrupt?”
“Two ways. Gradually, then suddenly.”
- Ernest Hemingway, The Sun Also Rises
I was working with a head of risk management—the chief risk officer—at a global organization that does not have a GSOC. One night over dinner, I asked him why his organization didn’t have one, and suggested he spearhead the initiative. His response? “I’m not convinced we need one. The organization has always operated without a GSOC, so why start now?” He also said, “The reality is, we’re already doing it here and there. The system works fine. Let people do their thing.” Something that seemed so obvious to me and so unnecessary to him left me on the defensive and him on offense.
The reality is, if you’re a global organization, you need a GSOC—or some version of it. If you don’t have one, you will need to communicate the severity of the situation and get one. Allow me to illustrate the need for such capabilities so you can justify the business case to your leadership and board…
Since starting Lootok, once a year I go to Rochester, Minnesota, my home State, to take my annual executive physical at the Mayo Clinic. It gives me a good reason to get back to Minnesota to visit family and friends, while maximizing my medical checkups. In just two days, more than fifteen doctors evaluate me. Risk management shares many similarities with the medical field, and it’s where you find the best analogies and metaphors. I wanted to share few of the insights I have gleaned over my time at Mayo.
Risk management is analogous to the immune system. It is not a thing or part. It is a system that co-exists within other systems that must properly function with a larger system called the organization | organism. You cannot just fix the immune system, buy it, or expect miraculous resiliency overnight. The immune system must be earned, strengthened and maintained every day. You need healthy habits, positive attitude and healthy living and work environments, proper planning and long-term vision and dedication, so forth. Risk management works the same way. Risk management also has the same challenges as our immune system: we don’t think much about it until something goes wrong.
I had the pleasure to interview Gary Klein the author of “Seeing What Others Don’t,” “Streetlights and Shadows,” “Working Minds,” and “Sources of Power.” His research and experience is invaluable to anyone in the field of risk management. In this interview, Gary talks about the difference between a well-ordered domain (i.e., normal business environment) and complex domain (i.e., crisis environment). Understanding the characteristics and attributes of each environment is critical to understanding what tools, processes, and capabilities needed to be successful in each environment.
Many of us business continuity management (BCM) professionals are convinced that a business impact analysis (BIA) is a “must-have” for any company. On top of that, we often believe the more information we gather, the better. But after the enormous effort to collect mountains of data and conduct endless interviews, we end up with little value to show for it.
Doing a BIA is expected of us, but do companies actually need a BIA? I guarantee that conducting an extensive BIA project is a quick way to exhaust your resources, stall your program agenda, and taint the reputation of your program. But if you’re willing to question why you’re doing a BIA, and then facilitate the process in a practical way for participants, you can maximize your investment. This eBook explores how to do this, and why it matters.
As BCM professionals, we’ve long believed in the myth that a plan is our key to recovery during a disruption. Often, we hyper-focus on the plan as undeniable proof that the right actions will be taken in an incident. This is the worst possible approach. Learn why in our eBook, The plan is the promised land, the first in Lootok’s series on the five myths of business continuity management (BCM)!
An ISO-aligned business continuity plan includes business continuity procedures for managing a disruption and continuing operations, based on recovery objectives identified in its business impact analysis.
In today’s business world, we are all faced with multiple responsibilities. It is easy to let things like business continuity, disaster planning, and crisis management fall to the bottom of the list, especially when there have been no recent crises to remind us of their importance. But planning for failure can contribute to your company’s success. Both in the event of an incident and in improving your current workflow, obstacles to continuity often turn out to be obstacles to success.
The fact that Tokyo found the nuclear reactors in a worse state than previously announced underscores the need for honest, factual information for public consumption, and the importance of media in delivering this communication. The age where authorities view the public as a panicky wildcard that needs to be soothed, rather than as an equal partner in mitigating and recovering from a disaster, must come to an end – especially in a world where, thanks to the internet and information networks, information is disseminated to a wider audience at a faster rate than history has ever experienced before.
Was the community immediately surrounding Tepco’s reactor integrated in mitigation efforts prior to the incident? Subsequent actions and the announcement of possibly 30 billion dollars in claims indicate the opposite.